Audit of contracting and procurement

Internal Audit and Program Evaluation Directorate
March 2024

Note: [redacted] appears where sensitive information has been removed in accordance with the Access to Information Act and the Privacy Act.

Introduction

Canadians expect the federal public service to be well managed and to be accountable for the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. It is the responsibility of federal departments to ensure that contracting and procurement activities are undertaken in a way that is consistent with these expectations.

The objective of contracting^{Footnote 1} and procurement^{Footnote 2} at the Canada Border Services Agency (the CBSA or the agency hereafter) is to acquire goods, services and construction in a manner that is open, fair and transparent, and results in best value or, if appropriate, the optimal balance of overall benefits to the agency and Canadian taxpayers.

On May 13, 2021, the Treasury Board (TB) issued the Directive on the Management of Procurement which supports the delivery of programs and services to Canadians through the procurement of goods, services and construction. Subsequently, the directive has been updated in:

2022 to document mandatory procedures for contracts awarded to Indigenous businesses
2023 to add additional guidance/requirements for risk-based systems of internal controls information management, proactive disclosure of contracts, transparency throughout the supply chain continuum and values and ethics

The CBSA's contracting limits per the TB Directive includes procurement up to:

Goods: $25,000
Construction: $750,000
Services: $3.75 million

Contract requirements exceeding the CBSA's authority are processed by Public Services and Procurement Canada (PSPC) or Shared Services Canada (SSC).

Significance of this audit

This audit was added to CBSA's Risk Based Audit Plan to provide assurance that CBSA's contract management practices were in compliance with TB Directive and policies.

The Standing Committee on Government Operations and the Standing Committee on Public Accounts have recently scrutinized the federal government's contracting practices. Specifically, external assurance providers have launched audits and reviews of the CBSA's procurement and contracting processes, including:

Performance Audit Contracts Awarded to McKinsey & Company – Office of the Auditor General
Procurement Practices Review: McKinsey & Company – Office of the Procurement Ombud
Performance Audit of ArriveCAN – Office of the Auditor General
Procurement Practices Review: ArriveCAN – Office of the Procurement Ombud

The contracts from the above audits/reviews were scoped out from this audit (refer to the audit objective and scope for details on scope inclusions and exclusions). However, any relevant observations and recommendations have been reflected in this audit report (refer to Appendix B: Previous audits and reviews).

Audit objective and scope

The audit objective is to assess the adequacy and effectiveness of the agency's procurement planning processes, key contract management activities and fraud controls in place to support contracting and procurement activities.

Audit scope

The audit examined procurement activities from April 2022 to July 2023, in order to include the most recent activities and processes
The alignment of procurement capacity and procurement priorities in business planning
Key contract management controls and procedures that support contract administration
Values and ethics and fraud controls

Scope exclusions

Controls/activities taking place in the contract award phase are excluded from the scope. There has been significant coverage of the contract award phase through recent and ongoing internal and external audits/reviews. Additionally, there are open contract award recommendations currently being addressed/implemented by management.

Other scope exclusions include:

contracts related to ArriveCAN and McKinsey & Company (audited by the Office of the Auditor General and the Office of the Procurement Ombud)
all contracts issued based on agreements between the CBSA, Canada Revenue Agency and Shared Services Canada
follow-up of management action plans implemented as a result of previous audits and reviews
acquisition cards

Audit methodology

The audit team employed the following methodology to provide audit-level assurance:

Interviewed 60+ key stakeholders within the Finance and Corporate Management Branch (FCMB) and across the agency and held focus groups
Walkthrough of vendor data maintenance and invoicing process
Reviewed 400+ supporting documents
Sampled 25 contracts to review of the effectiveness of the contract administration activities
Tested fraud controls on vendor data and Accounts Payable data, as well as segregation of duties in the Procure-to-Pay process

Refer to Appendix A: Risk assessment and audit criteria for further details on the lines of enquiry and criteria used in this Audit Engagement. Refer to Appendix D: End notes.

Audit opinion

The agency's procurement function is undergoing significant changes to improve its overall processes. We reviewed CBSA policies and guidelines and found they were generally compliant with Treasury Board (TB) policies and directives. However, further improvement is required to strengthen the procurement function so that there is more emphasis on procurement planning, ensuring that the procurement teams are staffed to provide the strategic advice and oversight for contract management activities and also implementing proactive monitoring controls/processes to address gaps.

Statement of conformance

This audit engagement conforms to related TB's Policy and Directive on Internal Audit and the Institute of Internal Auditors' (IIA) International Professional Practices Framework (IPPF). Sufficient and appropriate evidence was gathered through various procedures to provide an audit level of assurance. The agency's internal audit function is independent and internal auditors performed their work with objectivity as defined by the IIA's International Standards for the Professional Practice of Internal Auditing.

Key findings

Procurement planning: The Procurement and Contracting Directorate (PCD) is not tracking unplanned/unforeseen procurement requests that are received and processed by the procurement officers. Capturing this information will allow the PCD to better understand the capacity required to respond to unforeseen needs and priorities.

Procurement capacity: A formal capacity assessment was not developed by PCD to assess whether the directorate has adequate resources with the appropriate level of skill to address the agency's annual procurement needs (core and emerging priorities), including succession planning and measures to respond to the heavy workload and stress experienced by the procurement officers.

Governance: During our audit there have been changes to the governance and oversight processes for overseeing procurements before the contracts are awarded. More time is needed to assess the effectiveness of the recent changes on the management of procurements.

Contract management: Generally key contract management activities are being executed by Cost Centre Managers (CCMs) in compliance with the applicable policies and guidance. However, review of contracts showed there are weaknesses in documenting justifications for amendments and some improvements can be made in monitoring and overseeing contracts.

Anti-fraud controls: The agency has implemented some anti-fraud controls to prevent and detect fraud, however it is not proactively monitoring systems and processes to identify potential instances of fraud or wrong-doing.

Summary of recommendations

Four recommendations are being proposed to strengthen the activities below (see Recommendations and management response section for full details).

Procurement planning by ensuring that branches and regions identify all relevant procurement requests in the procurement planning process and the volume of unplanned requests is better understood. Additionally, developing service standards and ensuring that workplace heath and employee retention is addressed will help ensure the agency's future procurement requirements can continue to be met.
Contract management by reinforcing expectations, verifying expectations and implementing corrective measures if needed.
Corporate culture and proactive monitoring by demonstrating the actions management has taken to address behaviour that does not align with CBSA values, and shifting from being reactive to proactive in terms of fraud management.
Segregation of duties (SOD) by validating the definition of conflicting roles, minimizing the approval of and cleaning up existing incompatible roles and monitoring those whose conflicting access is required for their day-to-day responsibilities.

Overall management response

The Finance and Corporate Management Branch thanks the Internal Audit and Evaluation Directorate for this audit and accepts the findings of this audit and has already launched a number of improvement initiatives in context of the other audit exercises that have been ongoing in parallel. The FCMB has developed a management improvement plan to strengthen the various agency controls including procurement planning and reporting, financial management and compliance mechanisms.

Audit findings

The audit resulted in the findings below.

Procurement planning

Identifying procurement needs early on allows the PCD to prioritize and plan their work to ensure the agency an acquire goods and services when they are required.

The FCMB's Corporate Planning and Risk Management division leads the annual Integrated Business Planning process at the agency, which entails:

Executive Committee setting key priorities for the year
Functional leads preparing Integrated Business Plan (IBP)
Branches and regions identifying their procurement needs

The agency's business line branches and enabling branches, will articulate their planned activities needed to deliver on the agency's priorities, including identifying regional needs to support operations.

We assessed whether procurement planning processes were in place and functioning to align procurement capacity with the agency's key priorities and related procurement needs.

Specifically, we assessed whether the agency has mechanisms in place to:

determine annual procurement needs
manage unforeseen priorities
deliver on planned procurement

Determining annual procurement needs

The PCD, as the enabling function for procurement and contracting services, has developed procurement planning templates, tools and resources to assist branches and regions with the identification of their annual procurement needs.

The PCD conducts meetings with the IBP planning coordinators from the branches and regions to share guidance and expectations for populating the procurement template and reviews information for completeness.

Fields to be populated in the procurement template include:

method of procurement
purchase requisition number
priority
required by date
total contract value
vendor name
if there are any indigenous, accessibility or green considerations, etc.

While data is reviewed for completeness, the PCD does not challenge the accuracy/validity of the information entered in the template during the IBP process, such as providing feedback on whether the procurement method is appropriate for the purchase, or inquiring whether there is an opportunity to procure from indigenous businesses, etc.

We reviewed 2023 to 2026 procurement plans prepared by two branches and two regions and found evidence that some elements of procurement strategy are considered early in the IBP process, for example, indigenous procurement. Precision on procurement details, such as green procurement considerations, supply chain transparency, etc., tends to be deferred to the pre-contractual phase.

The PCD indicated that the quality and relevance of the information provided by clients in their procurement plans has improved since the early client engagement (beginning summer of 2023).

However, the PCD also indicated that further improvements in planning could be realized by ensuring the right stakeholders are engaged at the planning stage to more accurately define their procurement needs. This sentiment was also echoed by the branch and regional planning coordinators.

IBP coordinators of two branches and two regions mentioned that the procedural requirements have evolved over the years. They are unclear what procurements should be included in the IBP^{Footnote 3}.

This lack of clarity on the expectation of the procurement planning exercise may lead to inconsistencies in the determination of the agency's procurement needs. This may impact the PCD's ability to plan their workload to deliver on the needs of the agency.

Once procurement plans are finalized, Procurement Managers and/or Procurement Team Leads conduct monthly meetings with their clients to discuss each procurement need, type of procurement method, timelines for submission, etc.

Managing unforeseen priorities

Due to the highly operational nature of the agency, not all high-priority procurements can be foreseen and planned. As a result, the PCD also receives and processes urgent or emergency^{Footnote 4} acquisitions for their procurement clients.

In all instances of urgent requests, the PCD will assess the nature of the request before immediately processing it through the regular procure-to-pay processes. True emergencies are given priority attention, and procurement clients are also informed that it may not be possible to accommodate if the client failed to properly plan ahead.

The PCD is currently not tracking the number of unplanned/urgent procurements completed and do not know how often this happens during the year.

Out of the 2,353 completed procurements during our scope period, we could not assess how many were unplanned procurements.
These unplanned requests divert the PCD's resources from planned procurements and/or increase a procurement officer's workload.
Tracking unplanned requests will allow the PCD to better determine the capacity needed to respond to evolving agency demands, as well as help the PCD to work with their clients to ensure that predictable needs are identified and unplanned procurements are minimized.

We were only able to trace 1 of 10 completed procurement back the procurement plan.

It is important to note that during IBP planning, some aspects of the procurement request may not be known (value, vendor, scope of service, etc.), making it difficult to trace the completed procurement back to the plan. Ultimately we could not conclude whether 9 of 10 procurements were unplanned or not well defined during IBP planning.

Capacity to deliver on planned procurement

The following affects the capacity to deliver on planned procurement.

Capacity assessment

A formal capacity assessment was not developed by the PCD to assess whether the directorate has adequate resources with the appropriate level of skill to address the agency's annual procurement needs.

While Management believes the directorate has the staff to address the core procurement needs of the agency, incremental needs / changes to priorities puts pressure on the PCD's ability to deliver procurement requests in a timely manner; and implement new initiatives / strategies or update guidance and policies.

For instance, effective quarter 1 of 2023, the TB Directive on the Management of Procurement included requirements to integrate human rights, the environment and social and corporate governance within procurements.

The PCD has not yet developed CBSA specific guidance/strategy to address these requirements due to other pressing priorities, for example, the procurement staff were required to respond to questions and documents stemming from internal and external audits in addition to their workload.

Furthermore, recently there has been significant public and Parliamentary scrutiny on the federal government procurement practices. This shows that there is an increasing importance to addressing capacity as the procurement function is now, more than ever, expected to play an important role beyond just processing transactional procurement requests by providing strategic advice that is focused on procuring efficiently and effectively.

Service standards

Communicated service standards can help clients understand expectations regarding the time required for the PCD to complete procurement and contracting processes before a good/service can be procured.

The PCD has not established service standards for different types of procurement requests.

The PCD is working to gather data in order to develop reliable service standards.

Clearly articulated service standards can help CCMs adjust their plans or expectations accordingly.

Workload of procurement staff

The information gathered on the procurement client's priorities/needs during the monthly meetings is used to assign workload to the procurement staff.

The procurement officer's workload is tracked in the PCD's workload management tool.

Files are assigned based on the seniority of an employee, with senior employees responsible for complex files and junior employees responsible for a higher number of less complex files.

We held focus groups and interviews with procurement staff who mentioned they felt stressed and pressured as a result of last minute client requests (that is unforeseen / unplanned requests).

Furthermore, our review of the 2022 Public Service Employee Survey results showed that CBSA procurement officers (classified as Purchasing and Supply (PG) group in the Government of Canada) reported being more stressed than their counterparts in other government departments:

PGs stressed due to the heavy workload: 73% agency vs. 34% Public Service
PGs felt their quality of work is impacted by high staff turnover: 70% agency vs. 37% Public Service

Overall the CBSA PG staff are more stressed by their workload and quality in comparison with PG staff across the public service; this can potentially impact their morale and desire to stay with the agency.

Procurement clients and IBP planning coordinators recognized that procurement officers assigned to their files seemed overwhelmed and were not able to always provide timely and quality service. One procurement client provided an example where approximately $5,000 in penalty/interest charges were incurred as a result of contract processing delays.

Some branches and regions (for example, Information, Science and Technology Branch's Border Technologies Innovation Directorate) had dedicated business planning/procurement units filling out procurement templates, submitting and following-up on requests on behalf of the procurement clients to the PCD in order to reduce any delays with processing.

Intelligence and Enforcement has a centralized function that has streamlined all the regional guard contracts into one master agreement with the vendor in order to eliminate negotiating or updating multiple contracts with the same vendor.

Presently, the PCD does not strategically review all of the agency's procurement needs in order to provide advice and strategies for the effective and efficient procurement of goods and services.

When we asked procurement clients, what challenges they face with the procurement officers assigned to their contracts, they mentioned the following (in order of frequency):

procurement officers were overwhelmed
not receiving timely service
did not receive updates on status of request
lack of clarity in the timelines

Recruitment and retention

The agency requires a sufficiently staffed procurement function to facilitate quality and timely procurements.

The PCD has experienced challenges hiring/retaining staff required to deliver on procurement priorities.

However, our analysis of the PCD's attrition rates showed that it was beginning to stabilize (12% in fiscal year 2022 to 2023 vs 32% in 2019 to 2020). This fiscal year, the PCD has been building capacity through recruitment and training to mitigate resource and expertise gaps.

While the team was stabilizing, our review of the 2022 Public Service Employee Survey results showed that compared to their counterparts in other government departments, CBSA PGs preferred to seek employment in another department vs staying at the CBSA long-term due to heavy workload and lack of resources:

PGs intended to leave their current position in the next two years: 39% agency vs. 34% Public Service
PGs intended to pursue a position in another department or agency: 47% agency vs. 27% Public Service

If employees leave, the PCD will lose valuable corporate knowledge, which will further impact their ability to deliver on the agency's priorities and needs.

It is important that the PCD's workload is commensurate with their capacity to deliver. Improvements in identifying planned procurement actions and aligning available capacity with planned demand by finalizing service standards and capacity assessments can better position the PCD to deliver quality services in a timely manner.

Furthermore, improved tracking of unplanned/urgent requests could help better understand the flex capacity required to respond to these demands. Over the long term, the use of accurate information can help the agency better plan procurement operations.

The recommendation can be found in the Recommendations and management response section.

Contract management

Contract management enables parties to meet their obligations and deliver on the objectives of the contract.

Effective contract management is critical to the ultimate success of a contract, which in turn contributes to securing value for money and demonstrating sound stewardship in program delivery as well as in the management of public funds.

Although contract management refers to the entire contracting process from pre-contractual through to post-contract, contract administration comprises observing and monitoring the contractor's performance, managing changes to the contract, maintaining contract-related documents, handling claims and disputes and closing out the contract.

Procurement at CBSA

The PCD provides national expertise and guidance on procurement of goods and services to all CBSA branches and regions across Canada.

During the period from April 2022 to July 2023, the agency procured 2,353 goods and services for a total value of $589 million. CBSA procures more services than other commodity types.

74% Services
26% Goods
0% Construction
- Source: Internal Audit, Corporate Administrative Systems (CAS) Extract for the period April 1, 2022 to July 25, 2023

The procurement phases at CBSA include:

Pre-contractual
Contract Award
Contract Management: Focus of the audit
Post-contractual

1 and 2: Involves activities performed to select a vendor and enter into a binding contract.

3 and 4: Involves activities performed after a contract is awarded, to ensure files are properly maintained and that the contractor meets the requirements of the contract.

We assessed whether CBSA policies and guidance for contract management were aligned with the Treasury Board (TB) Directive and applicable policies and guidance.

Policies and guidance

We performed a crosswalk between the CBSA Guide to the Management of Procurement, and other applicable internal documentation, and the TB Directive on the Management of Procurement to ensure that agency's requirements for contract management were defined.

Overall CBSA guidance is aligned with the TB Directive, however detailed descriptions of contract management activities are not included within the guide.

Additionally, during the audit's planning and examination phases, new requirements were added to the TB Directive on the Management of Procurement. The PCD is currently developing guidance to address the new requirements. For example, a new CBSA Indigenous Procurement Policy is planned to launch in April 2024^{Footnote 5}.

We found that the CBSA guide refers to applicable TB and PSPC publications which provide guidance, clarify roles and responsibilities, and outlines the requirements for Contracting Officers and Cost Centre Managers (CCMs). In addition, the Canada School of Public Service has several procurement related courses available which provide information on contract management.

On May 11, 2023, the CBSA President mandated all headquarter executives and managers with delegated financial authority to complete Canada School of Public Service procurement training, (regardless of whether they had already taken them). The courses covered the procurement process, key CCM roles and responsibilities related to managing procurements and exercising their delegated authorities. As of November 8, 2023, 766 executives and managers have completed this training.

99% Completion rate (Source: CBSA Delegation of Financial Authorities team as at November 8, 2023)

Assessment of contracting files

Contract administration includes a review of the activities performed after a contract has been awarded to ensure all requirements are being met. Specifically, we assessed whether the key contract management controls below were being executed by CCMs.

Key contract management activities - What we expected to see during our review (types of evidence^{Footnote 6})

Exercising Section 32 authority
- Section 32 is authorized by a delegated authority before a contract is awarded to commit funds against an appropriation before an expense is incurred.
Contract amendments
- The need for a contract amendment may be the result of negotiations, changes in the original requirement (such as updates with work schedules, payment provisions, contract clauses, etc.), or the need to address unforeseen events (such as extension of the contract term).
- The rationale for contract amendments that significantly changes the Statement of work (SOW) or work description specified in the original contract must be documented on file.
Monitoring the contract
- Monitoring the progress of the work is critical to ensuring that the contract stays on track and that milestones are met, services are provided as required, goods are delivered, or deliverables are provided in accordance with the terms and conditions of the contract. More specifically, Section 34 authorization relies on CCMs monitoring the contract and confirming that work was performed / received before payment is authorized. Additionally, proactive contract management can help identify potential problems before they escalate, and allow timely corrective action to be taken.
- For services:
  - Conducting and attending progress meetings with the consultant/contractor.
  - Examining interim work to ensure conformity with contract requirements and retaining evidence of CCM feedback provided on the interim deliverables.
  - Evidence of monitoring time, resource, cost and quality of the work against the statement of work or Task Authorization (TA).
- For goods:
  - Recording evidence the goods were delivered by the end date of the contract (such as email correspondence, taking pictures of the goods, etc.).
  - Entering goods receipt in CAS/Ariba in order to process the invoice.
Exercising Section 34 authority
- Section 34 is authorized by a delegated authority after the deliverables are received.
- For completed contracts:
  - Confirming all deliverables per the contract/agreement was received.
- For in-progress contracts:
  - Confirming charges per the invoice were for goods/services received.

Table 1: We selected 25 contracts ($28 million of contracts reviewed, of which 9 files (3%) were goods and 16 files (97%) were services) across 6 branches and 4 regions to assess whether the CCMs managed their contracts in alignment with the TB Directive and agency policies. We interviewed and obtained contracting information from CCMs in order to complete the following assessment.
Key contract management activities	Exercising Section 32 authority	Contract amendments^{Tablenote 1}	Monitoring the contract	Exercising Section 34 authority
Compliance	100%	40%	83%	87%
Files tested	25 / 25 files	2 / 5 files	20 / 24 files	20 / 23 files
Observations	No issues were noted with the individual authorizing Section 32	Contract amendment was not completed and approved before services were rendered Justification for the TA amendment was not clearly documented and amendments were not signed by Contracting Authority Evidence of justification and approval was not documented	CCM was monitoring the contract through the financial forecasting process, however no additional contract oversight on the quality of the deliverables, etc. was being performed CCM and Contracting Officer did not adequately monitor the contract which led to amendment and payment issues No documented evidence was provided to the audit team CCM is unable to monitor whether the services being received or rates charged in the invoice align with the contract, because they don't have access to the final signed contract	No issues were noted with the individual authorizing Section 34 Section 34 was not authorized in a timely manner due to issues with monitoring this file Consultant was not performing work at the appropriate level, as such, CCM was paying a higher per diem for the services being received CCM was confirming receipt of services and authorizing invoice to be paid without a copy of the contract
Table notes Table note 1 Amendment data also included administrative amendment (such as to decrease PO value) and exercise option years. These amendments have been excluded in the overall assessment of whether amendments were properly justified and approved. Return to footnote 1 referrer

The scope of our audit work included the most recently issued contracts which allowed the audit to assess whether recent initiatives taken by the agency to educate CCMs and Contracting Officers on their roles, responsibilities and accountabilities achieved in the desired results. In total, we found that 18 of 25 contracts were fully compliant.

Although we selected recent contracts, documentation was not always readily available for some contracts. We sent multiple requests for documentation to the CCMs and procurement officers involved in the contracts to obtain the documentation required to complete our assessment. Documentation was stored in emails, personal folders, etc. which may make it difficult to retrieve in the future.

No centralized location exists for where all contract management documentation is to be stored. It is important that this documentation be retained for the future to serve as evidence that due diligence in contract management was exercised.

Our analysis highlighted there were weaknesses with contract management, in particular:

certain contracts were amended without justification which increases the risk of overspending against the contract and non-compliance with applicable policies and requirements
some CCMs were not monitoring their contracts effectively to ensure that actual work delivered was in line with the contract
- This could impact the effectiveness of their Section 34 authorization, because there could be discrepancies between the expected deliverables and the work paid for
the monitoring of contracts by CCMs is not being overseen by the PCD or another compliance unit within the CBSA
- Without regular spot checks, CCMs who are not effectively managing their contracts may not be provided the support required to improve their contract management activities

Ineffective contracting management including lack of quality control over contract monitoring can result in low quality goods or services being delivered to the agency and increases the potential for contractual disputes.

Moreover, public funds may not be used in a prudent and efficient manner with attention to value for money, which can damage the agency's reputation.

The recommendation can be found in the Recommendations and management response section.

Governance and oversight

The TB Directive on Management of Procurement requires that effective governance and oversight mechanisms be in place to support the management of procurement. Effective governance can help mitigate high risk procurements.

The PCD implemented a Contract Review Board (CRB) in 2022. The CRB reviews high priority files and unplanned/emergency requests.

Additionally, to improve governance, effective November 2023, the agency implemented a three-tiered governance structure; the Contract Review Committee, the Executive Contract Review Board and the Executive Committee. The committees will provide oversight, review, challenge, and pre-approve procurement activities for the purpose of identifying and mitigating risks, as well as ensuring CBSA contracting operations are conducted in accordance with applicable Government of Canada procurement policies.

In July 2023, the PCD developed a draft Procurement Risk Matrix template to determine a risk level for each procurement file (that is before contract is awarded) which includes the following risk categories:

Type of procurement strategy – reoccurrence, pre-solicitation, emergency
Timeframe of the contract / Task Authorization (TA)
Urgency
Vendor selection – repeat contracts, sub-contracting

Furthermore, effective November 28, 2023, PSPC has taken over more oversight for the issuance of professional services contracting.

All delegated authority for departmental issuance of TAs against contracts awarded by PSPC was revoked due to issues identified in the CBSA contract award process. Every new TA issued under certain standing offers or supply arrangements now requires PSPC approval. Similarly, any TA amendment that increases the value of a TA will also require PSPC approval.

Additionally, PSPC will be the contracting authority for all TAs greater than $2 million.

Updates to the governance structure may help improve executive oversight before contracts are awarded. As the new governance structure and procurement risk matrix was recently implemented, it was too early to assess how effective they were.

However, given that the new governance structure focuses on contract award, CCMs will play a critical role in ensuring that the contract management phase is well overseen.

Procurement fraud assessment

"Fraud can be defined as any illegal act characterized by deceit, concealment, or violation of trust."

(Source: IIA, January 2019)

According to the Association of Certified Fraud Examiners (ACFE), procurement fraud, can occur during different phases of the procurement and contracting process such as during contract award, delivery of good/services, and payment for goods and services. Organizations can be defrauded through collusion among bidders, between employers and contractors, and by employees. Appropriate controls and fraud prevention strategies are necessary to help prevent fraud.

We reviewed fraud literature issued by ACFE, the IIA and other reputable sources in order to identify potential procurement and contracting fraud schemes that may be relevant to the agency's operations. Our audit focused on potential areas of fraud occurring during the post contract award by vendors and employees. Potential fraud schemes that can be perpetuated by these groups include: conflicts of interest, corruption, processing duplicate payments intentionally, fictitious invoices and phantom vendors.

Based on an understanding of the potential fraud schemes, we performed the following audit procedures to identify and assess whether the agency had mechanisms in place to prevent and detect fraud in contracting and procurement processes:

Identification of anti-fraud controls
Assessment of anti-fraud controls
Data analysis to identify fraud Indicators

Most Common Anti-Fraud Controls in Government Organizations across the world for 2022 include:

85% Code of conduct
74% Internal controls over financial reporting
71% Fraud hotline
67% Management review
59% Fraud training (employees and executives)
40% Proactive data monitoring / analysis

(Source: ACFE 2022 Report to Nations)

Identification of anti-fraud controls

We expected that the agency has developed preventive and detective controls to make it more difficult for fraud to occur and to identify procurement related fraud.

We analyzed the agency's corporate documents, such as the fraud risk profile, policies and frameworks, as well as central government directives to identify the following anti-fraud controls:

Frameworks and codes of conduct

The agency's Code of Conduct, TB Values and Ethics Code for the Public Sector, TB Directive on Conflict of Interest and Supply Manual – Code of Conduct for Procurement, provide employees with guidance to exercise their roles and responsibilities with prudence and probity.

The Internal Fraud Management Framework provides direction and guidance to reduce the risk of internal fraud by identifying the CBSA's obligations and outlining fraud management activities within the agency.

The agency's Disciplinary Measures Framework is available to employees and provides guidance on discipline and misconduct, which can potentially deter fraud or conflict of interest from occurring.

The agency's Procure-to-Pay process has a risk-based system of internal controls over financial reporting which includes controls to prevent fraud^{Footnote 7}.

The fraud risk profile

The FCMB's Corporate Planning and Risk Management Division team prepares a Fraud Risk Profile, which includes an assessment of departmental risks and controls, and recommends whether controls should be strengthened. The 2021 Fraud Risk Profile for procurement fraud and conflict of interest identified the following controls in place at the CBSA which would help prevent procurement fraud:

Contract Review Board
Risk Assessment of all procurement requests
Procurement Planning through IBP
Mandatory Values and Ethics and procurement training
Delegation of Authority (Section 32 and 34), including training to learn about roles and responsibilities, and accountabilities
Quality assurance monitoring on Section 34 authorizations by Internal Controls and Accounts Payable teams within FCMB

While the Fraud Risk Profile identified these controls as being in place, this audit did not test all of the above controls to assess whether they were operating effectively.

Monitoring and employee reporting of fraud

The CBSA Internal Fraud Hotline is available for employees to report instances of misconduct/fraud. This hot line is monitored by the FCMB's Security and Professional Standards Analysis team.

Two complaints were received on the hotline (in April and June 2023) for the current fiscal year and did not pertain to contracting / procurement or conflict of interest.

In addition to the fraud reporting hotline, other mechanisms exist for employees to confidentially report and investigate suspected wrongdoing. CBSA's Security and Professional Standards Directorate is responsible for investigating violations of the Values and Ethics Code.

According to the ACFE, organizations with a fraud hotline or reporting mechanism increases the chances of early fraud detection and reduces losses.

However, the agency's low uptake of the hotline may indicate low awareness among CBSA employees, lack of trust in the internal process, or use of other available mechanisms.

The agency is not proactively monitoring or assessing systems/processes to detect instances of potential wrong-doing or misconduct related to procurement fraud or conflict of interest, due to challenges accessing data as well the quality of data available.

A lack of proactive monitoring may allow undetected fraud or wrongdoing to remain undetected. Detection is one of the most important keys to fraud prevention because increased perception that fraud will be detected can serve as a deterrent.

The agency's Security and Professional Standards Directorate has prepared an Annual Report on Administrative Investigations which provides information relating to employee misconduct administrative investigations conducted across the CBSA, identifies trends and will assists agency senior management in their efforts to foster a workplace and workforce that exemplifies the CBSA values.

Management plans to distribute this report to all agency employees by March 31, 2024. The publication of this report can serve as a deterrent to fraud by demonstrating the consequences of engaging in unethical behaviour.

Assessment of anti-fraud controls

We expected that the agency's anti-fraud controls to prevent and detect fraud are working as intended.

We tested the following key anti-fraud controls:

Key contract management controls
Maintenance of Vendor data in the systems
Tone at the top
Segregation of duties in the procure-to-pay systems

1. Key contract management controls

Per the results in the Contract management section, our analysis showed weaknesses with two key controls: 1) justification for amendments and 2) monitoring over contracts. Control weaknesses of this nature can provide a greater opportunity for vendor fraud to occur.

2. Maintenance of vendor data

Since 2021, FCMB's SAP Systems Management team has the responsibility for maintaining vendor data in the agency's Corporate Administrative Systems (CAS)^{Footnote 8}.

We extracted CAS vendor data as at June 2023 and our analysis found:

some vendor records were missing information, for example, missing street address, postal code, etc.
some vendors have more than two entries (that is same vendor name, address, etc.)

Management is currently in the process of cleaning up duplicate vendor records (entered by CBSA employees) in the vendor master data.

We stratified the vendor master data population into vendors with only P.O. Box information, blank fields, and incomplete information and selected 15 vendors to test whether any of them were fictitious by verifying their online presence (website, registration with Business Bureau, records with Canada Revenue Agency (CRA), etc.), calling them to confirm they were legitimate and reviewing transactions with the vendor in CAS.

Our tests indicated they were all legitimate vendors.

3. Tone at the top

Leadership involves setting the tone at the top throughout the organization. This plays a crucial role in creating a culture within an organization whereby employees embrace practices such as acting with integrity, responsible stewardship of public resources and ensuring decisions and actions are transparent.

We held focus groups and interviews with procurement staff to determine whether procurement clients put pressure on procurement staff to engage in activities that would contravene the Values and Ethics Code.

Procurement staff agreed that from time to time they encountered pressure from their clients to action their requests. When clients pressured them, procurement staff involved their management, who supported them by having discussions with clients to clarify procedural expectations and timelines.

In the past, procurement staff identified and stopped attempts at payrolling^{Footnote 9} and contract splitting^{Footnote 10} by procurement clients, two practices that would contravene the values and ethics code.

The PCD has made efforts to increase the education/awareness of procurement officers to identify these practices and ensure the correct procurement decisions are taken.

In our review of the 2022 Public Service Employee Survey results:

45% of CBSA employees agreed that senior management lead by example in ethical behaviour
- comparatively, the CBSA response rate is less than the average Public Service response of 65%
50% of CBSA employees agreed that their department or agency does a good job of promoting values and ethics in the workplace
- comparatively, the CBSA response rate is less than the average Public Service response of 71%

These results indicate that continued effort is required to ensure that all agency employees understand and can see management's commitment to a culture of ethical behaviour.

We reviewed the results of professional standards investigations related to contracting and conflict of interest. As of November 2023 two investigations related to conflict of interest were concluded.

The 1st allegation related to kickbacks was not substantiated.

The 2nd allegation resulted in an investigation related to improper contracting practices. The investigation is still ongoing, however preliminary findings indicate that there were serious breaches of policies and practices in all phases of the procurement process, including a lack of governance and oversight over the integrity of the process. The agency is taking measures to prevent future instances by implementing a tiered governance structure with thresholds to review and approve contracts. Other measures may be implemented once the investigation is concluded.

4. Segregation of duties (SOD)

SOD is a key element of internal controls, whereby incompatible roles through which fraud or errors might occur are prevented or monitored. In other words, users in a system are prevented from having total or unnecessary access to incompatible parts of a process. The restriction in access is designed so users cannot initiate unauthorized transactions.

SOD at the CBSA

In order to be able to perform a task in CAS/Ariba, an employee must request access to specific roles which will be approved by a business process owner. Each role granted has various combinations of actions and permissions associated with it.

We interviewed FCMB's SAP Systems and Internal Control teams to understand how SOD within the procure-to-pay systems is managed.

SAP Systems uses SOD Matrix developed by the CRA to identify roles that are in conflict. The SOD matrix was not vetted by CBSA business process owners and therefore may not reflect CBSA's operating reality and system of internal controls, that is, a conflicting role in CRA's environment may not be reflective of the agency's operations.

The SOD Matrix as of January 16, 2023 identifies 168 conflicts. For example:

the role allowing a user access to approve an invoice/contract to be paid (Section 34) is in conflict with the role to approve/release payments (that is, Section 33 delegated authority)

Testing of SOD conflicts

In July 2023, SAP Systems developed a SOD Violations report that is currently in the testing phase.

This report is expected to be used by the functional lead (currently undetermined) to monitor which users have conflicting roles.

We reviewed the August 2023 SOD Violations report and also independently extracted CAS reports (as at August 15, 2023) for the roles in the SOD Matrix to analyze whether users had conflicting roles.

Our analysis identified 158 users had conflicts, and we found 14 users had access to multiple CAS roles (2 or more) that were considered high risk^{Footnote 11} as they created the opportunity for fraud. Of these 14 users, 7 users had access to roles that may allow them to authorize both Section 33 and 34 on the same transaction. This segregation issue is a violation the Financial Administration Act.

Overall, our analysis concluded that the SOD matrix has not been widely shared and communicated with all the business process owners who grant access to the roles. As a result, approvals for role requests were given without due diligence verifications to ensure that appropriate safeguards are in place as required.

We found instances where employees changed positions and would no longer need access to the CAS roles they were given for their previous positions. These roles were not revoked from the employee's CAS profiles.

The CBSA conducts the Access Review and Certification which is a mandatory activity by which managers and supervisors review the system access permissions of their direct reports to ensure employees only have the system access permissions required to perform their duties. Access that is no longer required is expected be promptly removed. While we did not audit the Access Review and Certification process in detail, due to the number of conflicts we observed, managers may not be diligently removing unnecessary access.

We also found that accountability was not yet defined by SAP Systems for revoking access nor were the activities/transactions of users with incompatible roles being monitored.

Public Service Employee Survey results show that the agency's corporate culture/tone at the top can be improved. Failure to address real or perceived gaps in values and ethics can create an environment where employees perceive a lack of senior management commitment to act with integrity and an environment which permits fraudulent and or unethical behaviour to occur.

Strengthening controls to reduce the likelihood that incompatible roles will be issued, proactively monitoring high risk users with incompatible roles and other trends that could be indicative of fraud can help prevent financial losses and reputational damages.

The recommendation can be found in the Recommendations and management response section.

Data analysis to identify fraud indicators

By examining data from various sources, fraud data analytics can provide organizations with new insights about potential risks and empowering them to predict, detect, and prevent fraudulent transactions.

We reviewed available data for the last fiscal year in order to determine whether indicators of fraud were present by identifying and assessing fraud indicators. We performed the following analysis/tests:

Leading digits (Benford's law)
Round digits and duplicate invoices
Information technology systems tickets logged by employees

Note: the absence of fraud indicators does not mean fraud is not occurring.

Leading digits (Benford's law)^{Footnote 12}

Benford's law can be used to detect fraud by comparing the leading digits of actual financial transaction data to an expected distribution.

We assessed whether accounts payable data fell within Benford's law parameters. Our initial analysis showed abnormal variation; some of the digits occurred more frequently than the expected distribution per Benford's law.

We conducted further analysis to understand the abnormal variation by looking at the data and associated transactions. We found that:

the agency engages in repetitive activities (such as the use of translation or interpretation services which caused some leading digits to occur more frequently)
the data set also included goods/invoice receipt clearing accounts and tax general ledger accounts, which resulted in doubling the frequency of some transactions that appeared

Overall this analysis did not identify any potential fraud indicators or abnormal transactions.

Round digits

When an individual commits financial fraud, research from the American Institute of Certified Public Accountants shows they often fabricates amounts that are round numbers (for example, entering a fraudulent invoice for $100). Round numbers do not occur often in financial data due to taxes being applied.

We analyzed 10 round digit transactions (for example, transaction amounts of $100, $500, $40,000, etc.) and reviewed supporting documentation such as invoices, contracts, email exchanges, etc. to ascertain whether the transactions were legitimate.

Our analysis, found that all transactions had documentation to support their validity and accuracy.

Duplicate payments

A duplicate payment is when money is sent to the same vendor twice, either through a single payment or multiple payments.

Duplicate payments are not always considered to be fraudulent, depending on the circumstances. However, an employee with access to incompatible roles may intentionally circumvent controls in order to divert the payments to themselves or others.

We expected that the system and manual controls would stop duplicate payments from occurring.

Potential duplicate transactions from Accounts Payable data (where two or more transactions contained the same information in key fields like invoice number, invoice date, document number, vendor name, etc.) was extracted for further analysis.

We selected 10 pairs of transactions to validate they were not fraudulent by obtaining supporting documentation such as the invoices and contract.

Our analysis identified 2 of 10 pairs of transactions as being duplicates. For the two duplicate transactions, we found that the CAS Systems controls did not prevent the duplicate invoices from being processed.

CAS has built-in system controls that will prompt an error message to the user when they are processing an invoice with the same vendor, invoice number, and payment amount. [redacted]

Additionally, one set of duplicate transactions was approved by the same CCM. Per policies and guidance, when authorizing Section 34, CCMs are expected to ensure the invoice has not yet been paid. There was no indication the CCM intentionally approved a duplicate invoice to be paid, however, the CCM did not verify that invoice was not already paid before authorizing Section 34.

Given that duplicate payments can be easily made in the financial system, that some users have multiple conflicting roles [redacted], the opportunity to engage in fraud exists.

Information technology systems tickets

We extracted and analyzed tickets logged by employees to identify whether recurring system issues existed and whether there were any system vulnerabilities that could be leveraged for fraudulent purposes.

Our work focused on the high and medium priority tickets which we categorized by type of issue, for example, system error, user error, access issues, possible manual over-ride, etc.

Our analysis of the tickets did not indicate there was any known system vulnerabilities that could be exploited for the purposes of circumventing controls.

The most common ticket logged are issues with processing invoices in SAP Ariba / CAS, because the employees processed the invoices in the wrong system.

We did not complete end to end testing of the SAP Ariba and payment systems, however FCMB's Internal Controls group completed a design and operating effectiveness test of the system in 2023. They issued recommendations to the PCD to address system issues related to authorizations of Section 32 and 34.

Even though the audit tests did not identify any indications of fraud, we found that the vulnerabilities with system access and manual controls could allow users with high levels of access to circumvent controls and commit fraud.

The recommendation can be found in the Recommendations and management response section.

Recommendations and management response

These are the recommendations and the management response.

Recommendation 1: Procurement planning

Audit findings

The Vice-President of FCMB should strengthen the procurement planning process by:

tracking unplanned procurement requests and use this data to determine required procurement capacity
assessing the PCD's capacity including developing and communicating services standards to the agency for each procurement type
assessing workplace health and determining the measures required to help improve employee retention
modifying and communicating existing guidance to CCMs to clarify the level of detail required for planned procurement as part of the IBP exercise
reviewing planned procurements with a strategic focus to identify potential efficiencies, provide advice/recommendations and plan for longer-term procurement needs

Management response

Agreed. The FCMB recognizes that a strong procurement planning process ensures both short term and long term value for money. The CBSA's improved governance over procurement will review and approve Branch Procurement Plans, to be included in each Branch Integrated Business Plan.

Completion Date: April 2025

Recommendation 2: Contract management

Audit Findings

The Vice-President of FCMB should strengthen the contract management processes by:

communicating the expectations for monitoring contracts to all delegated CCMs
developing a centralized storage solution for all required contract management documentation
periodically conducting spot checks to verify that contract management activities are occurring, as well imposing corrective actions where/if required

Management response

Agreed. The FCMB recognizes the need to strengthen contract management processes. The CBSA's procurement function was nationalized in March 2021, and regrouped under one organization. This new central organization, the CBSA Procurement and Contracting Directorate, has since launched a comprehensive improvement plan to further strengthen management controls at all levels across the agency and it has already improved governance across the procurement functions.

Completion Date: December 2024

Recommendation 3: Proactive monitoring

Audit Findings

The Vice-President of FCMB should strengthen the agency's efforts to reduce the risk of fraud by developing measures to proactively monitor systems and processes to identify and mitigate potential instances of fraud, including sharing the results of any misconduct or wrong doing investigations or quality assurance activities with all CBSA employees to demonstrate the efforts taken to address unethical behaviours.

Management response

Agreed. The Vice President of FCMB will continue ongoing efforts to proactively monitor systems through proactive data analytics. FCMB will complete an assessment of fraud-related risks (including procurement) and determine what more can be done to prevent the occurrence of fraud and to mitigate fraud, such as improving fraud reporting by replacing the existing fraud reporting telephone hotline with an available online solution, and enhancing communication on its use with employees.

Completion Date: September 2024

Recommendation 4: Segregation of duties

Audit Findings

The Vice-President of FCMB should:

in consultation with Business Process Owners, review the SOD Matrix to confirm conflicting roles
review the role approval process to ensure that incompatible roles are not granted, and justification is obtained if incompatible roles are required
[redacted]

Management response

Agreed. The Vice-President of the FCMB will, in consultation with other subject matter experts, develop business processes to assign, manage and review the SOD related to roles management. This will provide reasonable assurance to ensure access privileges are well managed and that mitigation strategies exist for granted exceptions to minimize the risk of fraud. The agency will also be moving to SAP4/ HANA which will allow a more efficient way to manage system accesses in the long run.

Completion Date: December 2024

Conclusion

The agency has developed processes and guidance that allow it to plan and manage its procurements and contracts in compliance with the TB Directive, policies and other applicable regulations. While the processes are evolving, the agency should further strengthen the effectiveness of the contracting and procurement function by:

accurately determining the agency's procurement needs and assessing whether the PCD has the capacity to deliver these needs
establishing and communicating service standards for procurement activities
preventing incompatible roles from being issued, removing unnecessary system access [redacted]
ensuring the CCMs are appropriately overseeing the contracts they are managing

Finally, improving preventive and proactive monitoring controls can help strengthen controls and improve tone at the top.

Appendix A: Risk assessment and audit criteria

Table 2: A preliminary risk assessment was conducted during the audit planning phase to identify potential areas of risk as well as audit priorities, which were used to develop the audit objective, scope and criteria:
Risk statement	Line of enquiry	Audit criteria
Procurement capacity and operational needs may not be aligned with the agency's priorities.	1.0 Procurement planning	1.1 Processes are in place and functioning to align procurement capacity with the agency's key priorities and related procurement needs.
Contract management activities (including contract administration, amendments, exercising delegated authority, monitoring activities, etc.) may not be conducted in a fair, open and transparent manner by the business owners.	2.0 Contract management	2.1 Contract management and monitoring activities are conducted in compliance with Treasury Board requirements.
The procurement process may be vulnerable to conflicts of interest, collusion or corruption, including internal and external pressures that may influence procurement decisions.	3.0 Values and ethics, and fraud	3.1 The agency has mechanisms in place to prevent and manage conflicts of interests or wrongdoing in contracting and procurement. 3.2 The agency's controls to prevent fraud and wrongdoing are working as intended.

Appendix B: Previous audits and reviews

The following audits and review were conducted in 2023 on CBSA's contracting practices. Although the topics reviewed in these reports were scoped out (ArriveCan and pre-contract management phases), some of the findings and recommendations raised in the reports have relevance to this audit and have been highlighted below.

Office of the Procurement Ombud: Procurement Practice Review of ArriveCAN

This review was undertaken to determine whether procurement practices pertaining to contracts associated with the creation, implementation, or maintenance of ArriveCAN were conducted in a fair, open and transparent manner. This included procurements conducted by the CBSA on its own behalf as well as those conducted by Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC) on behalf of the CBSA.

Summary of findings:

The Procurement Ombud found practices for awarding competitive and non-competitive contracts, for issuing TAs and service orders, and for proactive publication of contract information that were inconsistent with government policy and that threatened fairness, openness and transparency of government procurement. The Procurement Ombud has made 13 recommendations to the CBSA, PSPC, and SSC to address the issues identified with procurement practices associated with the ArriveCAN application. Specifically, CBSA has been identified in 5 recommendations.

Office of the Auditor General: Audit Of ArriveCAN

This audit sought to determine whether the CBSA, Public Health Agency of Canada (PHAC), and PSPC managed all aspects of the ArriveCAN tool, including procurement and expected deliverables, with due regard for economy, efficiency, and effectiveness.

Summary of findings:

The Auditor General found that the CBSA, PHAC, and PSPC did not manage all aspects of ArriveCAN sufficiently with regards with value for money, specifically, identifying weaknesses in procurement and contracting, file management, and oversight over deliverables. This also prevented the Auditor General from attributing a precise cost to ArriveCAN. The Auditor General has made eight recommendations to address the findings, including gaps in the pre-contract management phase.

CBSA Internal Audit of Federal Government Consulting Contracts Awarded to McKinsey & Company

At the request of the Office of the Comptroller General (OCG), the CBSA's Internal Audit Division conducted an audit to determine whether, for the contracts relating to McKinsey, the CBSA procurement process was conducted in a fair, open and transparent manner, with integrity and in adhere with relevant governmental policies, directives and regulations. FCMB is currently implementing management action plans to address findings related to procurement file documentation, greater assurance over the Section 34 authority, increasing management's awareness surrounding contracting rules; and increasing oversight over the use of Standing Offers and Supply Arrangements in a risk-based manner.

Note: Recommendations proposed in the reports and related management action remain outstanding and timing is to be determined for follow-up on completion by other government departments and CBSA. The recommendations issued in the CBSA McKinsey audit report are being implemented by management.

Appendix C: Acronyms

ACFE: Association of Certified Fraud Examiners
CAS: Corporate Administrative Systems
CBSA: Canada Border Services Agency
CCM: Cost Centre Managers
CRA: Canada Revenue Agency
FCMB: Finance and Corporate Management Branch
IBP: Integrated Business Plan
IIA: Institute of Internal Auditors
PCD: Procurement and Contracting Directorate
PG: Purchasing and Supply
PSPC: Public Services and Procurement Canada
SOD: Segregation of Duties
TA: Task Authorization
TB: Treasury Board

Appendix D: End notes

Footnotes

Footnote 1

Contract is a binding agreement entered into by a contracting authority and a contractor to procure a good, service or construction. Appendix C: Definitions - Policy on the Planning and Management of Investments

Return to footnote 1 referrer

Footnote 2

Procurement is defined by the Treasury Board Secretariat (TBS) as the process related to obtaining goods, services or construction from planning to the completion of the procurement life cycle (that is planning, acquisition and execution, use and maintenance, and disposal and close out phases of procurement). Appendix C: Definitions - Policy on the Planning and Management of Investments

Return to footnote 2 referrer

Footnote 3

That is, only new procurements, or procurements above a certain threshold, or only procurements attached to agency priorities, or contracts that need to be renewed in the upcoming year, etc.

Return to footnote 3 referrer

Footnote 4

Per PSPC's Supply Manual, an urgent or pressing emergency is defined as those acquisitions where an undue delay could have a significant economic impact, an effect on health and safety programs, or a risk of not meeting an important project/program milestone. (subsections 3.21 and 3.22). For example, in 2023, Provinces notified the CBSA, they would cease housing immigration detainees on behalf of the agency. In light of this decision, CBSA implemented an emergency plan to house a number higher risk individuals by fall 2023 Key issues: Ministerial transition 2023. This procurement need was not included in procurement plans and involved quickly securing immigration holding centres, procuring additional capacity/guards to monitor the detainees, etc.

Return to footnote 4 referrer

Footnote 5

2023-06-15 FIMC 02 2023-2024 Procurement Plan revised-E.pdf

Return to footnote 5 referrer

Footnote 6

The level of effort required for contract management will vary depending on the value and complexity of the procurement. Low dollar value or simple contracts may require only minimum management, while more complex contracts will require continuous monitoring by both the client and the contracting officer.

Return to footnote 6 referrer

Footnote 7

The Audit of Internal Controls Over Financial Reporting (2023) has identified gaps in the areas of the of internal controls over financial reporting management framework and its methodologies, internal control assessments, and monitoring and reporting.

Return to footnote 7 referrer

Footnote 8

The CBSA has a Memorandum of Understanding with the Canada Revenue Agency (CRA) for information technology services, which allows the agency to use CRA's Corporate Administrative Systems (CAS). As such, CRA hosts and maintains CAS for the CBSA. Corporate Administrative Systems (CAS) and SAP Ariba are two systems that facilitate the procure-to-pay process, allowing individuals to: maintain vendor information; enter, modify and approve contracts; review and approve payments and enter and modify financial information.

Return to footnote 8 referrer

Footnote 9

Payrolling is the practice by which firms are asked, or are suggested, by federal government departments or agencies to employ specific individuals who are then assigned to provide services to that government or agency under a contract. This would create an employer-employee relationship for the agency, who will then owe employee deductions (CPP or EI premiums, etc.). For example, includes a client request to sole source with a vendor because they wanted a specific resource to perform the services. This request was denied by the procurement staff, they provided the definition of payrolling to the client and told them now they will have to compete for the requirement.

Return to footnote 9 referrer

Footnote 10

Contract Splitting is issuing a contract for an amount within a delegated level of authority and then subsequently amending the contract to avoid bids or to circumvent a required approval. For example, after a contract with a vendor ended, the client submitted a similar request again. The Procurement staff informed the client this was contract splitting and that they will have to compete the contract again or use an existing call-up.

Return to footnote 10 referrer

Footnote 11

That is some users not only had roles that were in conflict per the SOD Matrix, they also had access to other CAS Roles, which allows them to do everything in the procure-to-pay continuum (create vendor, create invoice, approve invoice for payment, release payment, post accounting records/post journal entries), which indicates that multiple roles allow a user to perform various actions, which can all be in conflict. For example, we found two individuals have access to CAS roles that allow them to create/update vendor data, update banking information, create and approve invoices, etc. giving them an opportunity to commit fraud. Their current positions (that is Targeting Officer, Portfolio Security Manager) are not in line with the CAS roles they have access to. These two user's access to incompatible roles were revoked after we brought them to management's attention.

Return to footnote 11 referrer

Footnote 12

Benford's law to detect numeric amounts that don't fit expected patterns. That is, it describes the relative frequency distribution for leading digits of numbers in datasets. Leading digits with smaller values occur more frequently than larger values. When people manipulate numbers/submit fake invoices, they don't track the frequencies of their fake leading digits, producing an unnatural distribution of leading digits. If we know the normal frequency of digits, then we can identify digit frequencies that violate that normal behavior. For example, out of a group of numbers, the first digit will be "1" about 30% of the time. Similarly, using the same function, we can expect the first digit to be "8" about 5.1% of the time.

Return to footnote 12 referrer

Page details

Date modified:: 2024-11-13

Audit of contracting and procurement

Introduction

Significance of this audit

Audit objective and scope

Audit scope

Scope exclusions

Audit methodology

Audit opinion

Statement of conformance

Key findings

Summary of recommendations

Overall management response

Audit findings

Procurement planning

Determining annual procurement needs

Managing unforeseen priorities

Capacity to deliver on planned procurement

Capacity assessment

Service standards

Workload of procurement staff

Recruitment and retention

Contract management

Procurement at CBSA

Policies and guidance

Assessment of contracting files

Key contract management activities - What we expected to see during our review (types of evidenceFootnote 6)

Governance and oversight

Procurement fraud assessment

Identification of anti-fraud controls

Frameworks and codes of conduct

The fraud risk profile

Monitoring and employee reporting of fraud

Assessment of anti-fraud controls

SOD at the CBSA

Testing of SOD conflicts

Data analysis to identify fraud indicators

Leading digits (Benford's law)Footnote 12

Round digits

Duplicate payments

Information technology systems tickets

Recommendations and management response

Recommendation 1: Procurement planning

Recommendation 2: Contract management

Recommendation 3: Proactive monitoring

Recommendation 4: Segregation of duties

Conclusion

Appendix A: Risk assessment and audit criteria

Appendix B: Previous audits and reviews

Office of the Procurement Ombud: Procurement Practice Review of ArriveCAN

Office of the Auditor General: Audit Of ArriveCAN

CBSA Internal Audit of Federal Government Consulting Contracts Awarded to McKinsey & Company

Appendix C: Acronyms

Appendix D: End notes

Page details

Key contract management activities - What we expected to see during our review (types of evidence^{Footnote 6})

Leading digits (Benford's law)^{Footnote 12}